As the head of IT for a school, it can be frustrating trying to sell cybersecurity to an unrelenting school board that doesn’t see the cost as a priority. This is why it’s vital to demonstrate the benefits of a proactive response to security threats, rather than waiting for an attack before deciding to finally upgrade your defenses.
Recognize the threat
Cybersecurity threats continue to evolve at an alarming rate, which means schools must be ready to respond to a new breed of attacks.
Ransomware attacks are prevalent across every sector, often gaining a foothold in an organization by tricking someone into opening an infected attachment or clicking on a malicious link. The infection will then quickly spread throughout the organization’s network, encrypting important files and demanding payment for their release. Other attacks might steal that data to sell on the dark web.
For schools, this sensitive data can include staff records, student medical information, academic results and much more. U.S. federal law requires that student information be protected under the Family Educational Rights and Privacy Act, with schools found in violation facing stiff penalties. Similarly, all data collected by the Australian Government’s Department of Education is protected under the Privacy Act 1988.
The education sector has been bullied by ransomware attacks such as WannaCry and GoldenEye, suffering the highest rates of attack while having the least protected systems, according to security analyst firm BitSight. The firm's 'The Rising Face of Cyber Crime: Ransomware' report found that educational institutions were three times more likely to experience an attack than those in healthcare and 10 times more likely than those in finance.
Consider the consequences
Education providers that fall victim to cybersecurity attacks make the headlines. One example is South Carolina's Dorchester County School District 2, which saw almost half of its servers crippled by a ransomware attack. The district was then forced to pay the ransom, yet still lost its data.
In light of the attack, the district is overhauling its cybersecurity defenses, but the damage to its reputation will take much longer to repair. The attack made the news after the district was forced to contact the families of 32 students, whose 2016–2017 data was not available in hard copy, and ask for their assistance in recovering lost information.
Get on the front foot
Rather than waiting for disaster to strike and then going into damage control, school boards must get on the front foot when it comes to cybersecurity. They have an obligation to understand the risks and protect the sensitive data of both students and staff, as well as protect the reputation of the school.